Re: [PATCH RFC v9 0/7] Introduce the STACKLEAK feature and a test for it

From: Kees Cook
Date: Mon Mar 05 2018 - 14:34:53 EST


On Sat, Mar 3, 2018 at 12:00 PM, Alexander Popov <alex.popov@xxxxxxxxx> wrote:
> This is the 9th version of the patch series introducing STACKLEAK to the
> mainline kernel. STACKLEAK is a security feature developed by Grsecurity/PaX
> (kudos to them), which:
> - reduces the information that can be revealed through kernel stack leak bugs;
> - blocks some uninitialized stack variable attacks (e.g. CVE-2017-17712,
> CVE-2010-2963);
> - introduces some runtime checks for kernel stack overflow detection.

Thanks for continuing to chip away at this! I wonder if it's time to
drop the "RFC" part of this? It seems like this should be ready to
land pretty soon. I can start carrying this in the kspp -next tree,
for example. I'd like to get some sign-off from x86, though.

Boris, Andy, and Dave (Hansen), you've all looked at this; would you
be willing to give an Ack on the x86 parts? (Though I do now see a new
comment from Dave was just sent.) And if not, what changes would you
like to see?

-Kees

--
Kees Cook
Pixel Security